Ideal Models in Symmetric Cryptography - PowerPoint Presentation

Uploaded On 2016-03-12

Stefano Tessaro, UC Santa Barbara. Visions of Cryptography, Weizmann Institute. ID: 253257




Presentation Transcript

Slide 1

Ideal Models in Symmetric Cryptography

Stefano Tessaro, UC Santa Barbara

Visions of Cryptography, Weizmann Institute

Slide 2

Crypto-History [oversimplified]

Timeline: 2000 BC … 1982 … today.

Cryptographic algorithms designed from scratch, no proofs, …

Provable security: Security of cryptosystems formalized and proven under computational assumptions. Amazingly successful.

Slide 3

The Sky is the Limit!

Encryption, signatures, multi-party computation, secure delegation, functional encryption, FHE, …

Slide 4

This Talk – In a Nutshell

This talk: Biased selection of problems which cannot be studied within the traditional framework of provable security.

Leitmotif: Security proofs are in ideal models (e.g. random oracle model, ideal cipher model, etc.)

Two high-level goals:

1. Survey: a set of problems not as widely considered by the core theory community.

2. Thought-provoking: Foster discussion on ideal models, and show why “we are stuck with them”.

Slide 5

Ideal Models

Cryptographic primitives: a set 𝒫 of valid “instances”, e.g.

- Functions {0,1}* → {0,1}^n
- Permutations {0,1}^n → {0,1}^n
- Pairs (f, op), where f: Z_q → {0,1}^n and op(f(a), f(b)) = f(a + b)

Ideal-𝒫 model: Pick P u.a.r. from 𝒫. Every algorithm (i.e., attacker, schemes) is given access to P.

[Figure: construction C with oracle access to P]

Examples: Random-oracle model [FiaSha86,BelRog93]; Generic-group model [Sho97].

Rationale: Ideal primitive P has all security properties expected from 𝒫-candidates.

Slide 6

Ideal Models

Fact [CaGoHa98]: Security proofs in ideal models are not “sound”.

Ideal models used in security proofs: “A proof in an ideal model is better than no proof at all.”

- They are the only way to give “provable” answers.
- Security against a limited attacker class (i.e., generic attacks) is partially justified by existing cryptanalytic attacks.

This talk: Problems motivated by the design of efficient and highly-secure constructions of symmetric cryptographic primitives (block ciphers, hash functions).

Slide 7

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

Slide 8

Pseudorandom Functions [GoGoMi84]

Keyed function F: K × X → Y. Random function R: X → Y, R(x) = $ (a fresh random value for each new x).

[Figure: distinguisher D, with Q adaptive queries and time T, outputs 0/1. Left world: query x is answered by F(SK, x) under a hidden random key SK. Right world: query x is answered by R(x).]

Definition. F is a (T, Q, ε)-PRF: ∀ (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.

[Typically: ε = negl for T, Q = poly(k); here we care about concrete security.]

PRFs ⟹ efficient symmetric encryption, MACs, …

Slide 9

Candidates: Block Ciphers

[Figure: E maps (SK, M) to C; E^{-1} maps (SK, C) back to M.]

E.g.: AES, DES, 3DES, IDEA, BLOWFISH, …

|M| = |C| = n (e.g. n = 128)

|SK| = k (e.g. k = 128, 256, …)

For every SK: the block cipher is a permutation on n-bit strings (M’ ≠ M ⟹ C’ ≠ C).

Slide 10

Pseudorandom Permutations [LubRac85]

Block cipher E: K × X → X. Random permutation P: X → X.

[Figure: distinguisher D outputs 0/1. Left world: query x is answered by E(SK, x) under a hidden random key SK. Right world: query x is answered by P(x).]

Definition. E is a (T, Q, ε)-PRP: ∀ (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.

STRONG-PRP: D may also query the inverse. A forward query (+, x) is answered by E(SK, x) (left) or P(x) (right); a backward query (-, y) is answered by E^{-1}(SK, y) (left) or P^{-1}(y) (right).

Slide 11

Pseudorandom Constructions

Building PRFs / PRPs from weaker pseudorandom objects is a central problem both in theoretical and applied cryptography.

Example. PRF from PRP: a construction C that calls E. PRP → PRF?

Standard-model provable security: If E is a (T, Q, ε)-PRP then C is a (T’, Q’, ε)-PRF, where T’ ≈ T.

Important: We always have T’ < T.

Slide 12

Our Problem: From Weak to Strong Ciphers

Block-cipher design paradigm:

- Design a weak component.
- Iterate the weak component multiple times.

Sequential composition of weak ciphers: C = E_{K3}(E_{K2}(E_{K1}(M))). Used for 3DES, where E = DES is insecure (widespread in the electronic payment sector).

DES best attack: 2^42. 3DES best attack: 2^90.

Expectation: Breaking the construction is strictly harder than breaking the component. Hope: T’ > T! Cannot show this in the standard model under any reasonable assumption on E.

Slide 13

Amplification of Generic Security

[Figure: M → E_{K1} → E_{K2} → E_{K3} → C]

“Generic” Security Amplification: Prove that there is no generic attack – treating E as a black box – which breaks sequential composition with complexity less than T’ >> 2^k.

Observation (Exhaustive key search). E can always be distinguished with 2^k computation and Q = O(k/n) queries.

Slide 14

The Ideal Cipher Model [Sha49]

∀ SK ∈ {0,1}^k: E_SK is chosen u.a.r. from the set of all permutations {0,1}^n → {0,1}^n. The ideal cipher IC answers (+, SK, M) with E_SK(M) and (-, SK, C) with E_SK^{-1}(C).

[Figure: distinguisher D outputs 0/1. Left world: D talks to the construction C^IC, keyed with a hidden random SK, and to IC itself. Right world: D talks to a random permutation P and to IC. D makes Q_C construction queries and Q_P primitive queries.]

Definition. C is a (Q_C, Q_P, ε)-strong PRP if ∀ (Q_C, Q_P)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.

Two query types:

- Primitive queries (+, SK, M), (-, SK, C) ⟹ “local” computation.
- Construction queries (+, M), (-, C) ⟹ key-dependent access to the primitive.

Slide 15

The General Problem

[Figure: the same two worlds as before, C^IC with hidden SK versus a random permutation P, both alongside IC.]

Problem. Find an efficient C which is a (Q_C, Q_P, ε = negl)-strong PRP for Q_C, Q_P both as large as possible.

Limits: Q_C ≤ 2^n and Q_P < 2^{n + k}.

Slide 16

Two-fold Sequential Composition

EE_{SK1, SK2}: x ↦ E_{SK2}(E_{SK1}(x)), implemented with two calls to IC.

A construction query (+, x) is answered as follows: y ← IC(+, SK1, x); z ← IC(+, SK2, y); return z.

Slide 17

Two-fold Sequential Composition

Meet-in-the-middle attack [DifHel76]. Distinguisher D, given the construction C = EE_{SK1, SK2} (left) or a random permutation P (right), plus IC:

z ← C(+, x)
∀ SK’1: y[SK’1] ← IC(+, SK’1, x)
∀ SK’2: y’[SK’2] ← IC(-, SK’2, z)
If ∃ SK’1, SK’2: y[SK’1] = y’[SK’2] then output 1, else output 0.

[Figure: x is encrypted forward under every candidate SK’1 and z is decrypted backward under every candidate SK’2; D looks for a collision of the middle values.]

Fact 1. Pr[D → 1 | left] = 1.

Fact 2. If k < n/2: Pr[D → 1 | right] < 1/2.
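The two-world experiment on this slide, simulated with a toy ideal cipher (an added example, not the speaker’s code): the parameters k, n, the trial count and the seed are assumptions; it returns the empirical Pr[D → 1 | left] and Pr[D → 1 | right] so that Fact 1 and Fact 2 can be checked directly.

```python
import random


def ideal_cipher(k, n, rng):
    """Constructed toy ideal cipher: an independent random permutation of
    {0,1}^n for each of the 2^k keys. Returns forward and inverse tables."""
    fwd = [rng.sample(range(1 << n), 1 << n) for _ in range(1 << k)]
    inv = [[0] * (1 << n) for _ in range(1 << k)]
    for key, perm in enumerate(fwd):
        for x, y in enumerate(perm):
            inv[key][y] = x
    return fwd, inv


def mitm_distinguisher(construction, fwd, inv, x=0):
    """D from the slide: one construction query z = C(+, x), then 2^k forward
    primitive queries IC(+, SK'1, x) and 2^k inverse queries IC(-, SK'2, z).
    Output 1 iff the middle values y[SK'1] and y'[SK'2] collide for some pair."""
    z = construction(x)
    y_forward = {fwd[sk1][x] for sk1 in range(len(fwd))}
    y_backward = {inv[sk2][z] for sk2 in range(len(inv))}
    return 1 if y_forward & y_backward else 0


def run_worlds(k, n, trials, seed=1):
    """Left world: EE_{SK1,SK2}(x) = E_SK2(E_SK1(x)) with hidden random keys.
    Right world: an independent random permutation P (IC still available).
    Returns the fraction of trials in which D output 1 in each world."""
    rng = random.Random(seed)
    left_hits = right_hits = 0
    for _ in range(trials):
        fwd, inv = ideal_cipher(k, n, rng)
        sk1, sk2 = rng.randrange(1 << k), rng.randrange(1 << k)
        left_hits += mitm_distinguisher(
            lambda x: fwd[sk2][fwd[sk1][x]], fwd, inv)
        p = rng.sample(range(1 << n), 1 << n)
        right_hits += mitm_distinguisher(lambda x: p[x], fwd, inv)
    return left_hits / trials, right_hits / trials


if __name__ == "__main__":
    # k = 3 < n/2 = 5, so Fact 2 applies; on the left D always outputs 1
    left, right = run_worlds(k=3, n=10, trials=200)
    print(f"Pr[D -> 1 | left] ~ {left:.2f}, Pr[D -> 1 | right] ~ {right:.2f}")
```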

Slide 18

DESX [Rivest, 1984]

DESX_{SK, SK1, SK2}(M) = SK2 ⊕ E_SK(M ⊕ SK1): one block-cipher call under key SK, with the whitening keys SK1 and SK2 XORed onto input and output.

Theorem [KilRog01]: DESX is a (Q_C, Q_P, ε = negl)-strong PRP if Q_C · Q_P < 2^{n + k}.

- Result meaningful even when k = 0 [EveMan96].
- Proof succeeds even if SK1 = SK2 [DunKelSha11].
- Essentially optimal for one-call constructions [GazTes12].

Slide 19

3DES

[Figure: E_{SK1} → E_{SK2} → E_{SK3}]

Caveat: If Q_C approaches 2^n, then distinguishable with Q_P = 2^k queries.

Alternative: Back to sequential composition! (used in 3DES)

Theorem [BelRog06,GazMau10]: 3DES is a (Q_C, Q_P, ε = negl)-strong PRP as long as Q_C ≤ 2^n and Q_P < 2^{n/2 + k}.

Slide 20

3DES – Proof Approach

[Figure: the ideal cipher as a family of K = 2^k independent random permutations π_1, π_2, …, π_K; the cascade under keys i, j, k applies π_i, then π_j, then π_k.]

For random i, j, k: the cascade of π_i, π_j, π_k compared with a single random permutation π, where K = 2^k.

Lemma. Hard to distinguish with fewer than 2^{k + n/2} queries.

Slide 21

Beyond Length 3

[Figure: E_{SK1} → E_{SK2} → … → E_{SKl}]

Expectation: Security increases with l.

Theorem [Lee13]. Security for Q_P up to 2^{k + min{k, n}} when l → ∞.

Slide 22

Increasing Efficiency [GazTes12]

[Figure: 2XOR-Cascade, two block-cipher calls E_SK and E_SK’ with whitening key SK’’.]

Theorem [GazTes12]: 2XOR-Cascade is a (Q_C, Q_P, ε = negl)-strong PRP if Q_C ≤ 2^n and Q_P < 2^{k + n/2}.

[Same security as 3DES, one block cipher call less]

Slide 23

XOR Cascades

[Figure: E_{SK1} → E_{SK2} → … → E_{SKl}, with whitening keys SK’1, SK’2, SK’3, …, SK’l, SK’(l+1) XORed in before, between and after the cipher calls.]

Theorem [LPS12, Lee13, Gaz13, CheSte13]. Security for Q_P up to 2^{k + n} when l → ∞. Optimal!

Slide 24

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

Slide 25

Hash Functions

Practical hash-function constructions are usually only analyzed in ideal models.

Goal: Optimize the concrete security / # calls tradeoff for standard security properties [Hundreds of papers!]

Example: Block-cipher based hash functions [PGV93]. [Figure: compression function H(X, Y) = Z built from a call to E on inputs X, Y.]

Slide 26

Key-Derivation Functions

Goal: Derive a secret key from a low-entropy secret (e.g., password) – PKCS#5 standard.

[Figure: pw || salt → H → H → H → SK; the salt is randomly chosen per KDF evaluation.]

Expectations:

- Time to break should increase linearly with iteration length.
- Time to break should increase linearly with the number of independent instances.

Theorem [BeRiTe12]. Expectations are true for KDFs from the PKCS#5 standard (in the ROM).

Slide 27

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

Slide 28

So far: Construction C of a primitive Q from a primitive P achieving a specific goal, with security proof in the ideal-P model.

Most ambitious goal. Construction C(.) using ideal primitive P s.t. C(P) is “as good as” ideal primitive Q: “If an application is secure in the ideal-Q model, then it is secure in the ideal-P model, where calls to Q are replaced by calls to C(P).”

Slide 29

Indifferentiability [MaReHo04]

[Figure: distinguisher D outputs 0/1. Left world: D talks to C^P and to P. Right world: D talks to Q and to a simulator SIM^Q.]

Definition. C is (Q_C, Q_P, ε)-indifferentiable: ∃ (efficient) SIM ∀ D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.

[Typically: efficient = poly(Q_C, Q_P), ε = negl(k)]

Keyless, deterministic construction.

Slide 30

Composability [MaReHo04]

Arbitrary security game G, with output 0/1, run either with the ideal primitive Q or with C(P).

Pr[G → 1 | Q] = negl. Pr[G → 1 | C(P)] = ?

Indifferentiability (replacing P by SIM^Q inside the game) ⟹ Pr[G → 1 | C(P)] = negl.

Slide 31

Indifferentiability Constructions

Literature on indifferentiability encompasses by now hundreds of papers.

Standard security notion for hash function constructions (e.g., in SHA-3 competition): “Hash function has all security properties of a random oracle.”

Typical example. Random oracles from ideal ciphers. [Figure: IV → E with M1 → E with M2 → … → E with Ml → truncate.]

Theorem [CDMP05]. Construction is indifferentiable from a random oracle in the ideal-cipher model.

Slide 32

Ideal Ciphers from Random Oracles

Theorem [HoKuTe11]. 14-round Feistel is indifferentiable from a random permutation.

[Figure: Feistel network with round functions F_1, F_2, …, F_14.]

Much more complex than the converse. [CoPaSe08]

Slide 33

Indifferentiability Constructions

Other constructions:

- Random oracles from fixed input-length random oracles with optimal security […, MauTes07, …, DodSte11, …]
- Ideal ciphers from random permutations [ABDMS13, LamSeu13]. Leads to interesting questions about expander graphs.

Slide 34

Multi-Stage Games

[Figure: two stages G1 and G2 sharing access to Q, with output 0/1.]

Examples: Deterministic encryption; Leakage resilience.

Observation [RSS11]. Indifferentiability does not imply composition for multi-stage games.

Slide 35

Multi-Stage Games

New Goal: Find good indifferentiability-like notions with composition properties for multi-stage games.

Reset indifferentiability [RSS11]: Distinguisher is allowed to reset the simulator.

Reset indifferentiability is sufficient for secure composition in the multi-stage setting.

Many impossibility results: Traditional indifferentiability results are impossible for reset indifferentiability [DGHM13, BBM13, …]

…

Slide 36

Conclusions

Ideally, we would like to avoid ideal models.

A large number of relevant security questions can only be answered using ideal-model security proofs.

Ideal models give rise to a rich area of works with interesting theoretical questions.

Slide 37

Thank you!

Slide 38

DESX – Proof Idea

[Figure: DESX_{SK, SK1, SK2} = SK2 ⊕ E_SK(· ⊕ SK1); in the ideal world D talks to a random permutation P and to IC.]

Extend the ideal world with random keys SK, SK1, SK2 (unused by P and IC, hence independent of D’s view).

Transcript: T_C = {(w, z)}, size Q_C (construction queries); T_P = {(SK’, x, y)}, size Q_P (primitive queries).

D wins if for some (w, *) ∈ T_C: (SK, w ⊕ SK1, *) ∈ T_P, or for some (*, z) ∈ T_C: (SK, *, z ⊕ SK2) ∈ T_P.

Lemma 1: ε ≤ Pr[D wins]

Lemma 2: Pr[D wins] ≤ 2 Q_C Q_P / 2^{n + k}
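Lemma 2’s bad event, checked on constructed transcripts (an added example, not from the talk): the distinguisher’s query pattern, the toy parameters k, n, Q_C, the sample count and the seed are all assumptions; Pr[D wins] is estimated over the independently drawn keys and compared with the union bound 2 Q_C Q_P / 2^{n+k}.

```python
import random


def ideal_cipher(k, n, rng):
    """Constructed toy ideal cipher: one independent random permutation of
    {0,1}^n per key SK' in {0,1}^k (only the forward direction is needed)."""
    return [rng.sample(range(1 << n), 1 << n) for _ in range(1 << k)]


def transcripts(k, n, q_c, rng):
    """Ideal world of the DESX proof: the construction is a random permutation
    P, the primitive is the ideal cipher. The (constructed) distinguisher D
    asks z = P(w) for w = 0..Q_C-1 and E_SK'(0) under every key SK', so
    Q_P = 2^k and exactly one primitive entry will carry the hidden SK.
    Returns T_C = [(w, z)] and T_P = [(SK', x, y)]."""
    perm = rng.sample(range(1 << n), 1 << n)
    t_c = [(w, perm[w]) for w in range(q_c)]
    ic = ideal_cipher(k, n, rng)
    t_p = [(sk, 0, ic[sk][0]) for sk in range(1 << k)]
    return t_c, t_p


def d_wins(t_c, t_p, sk, sk1, sk2):
    """Bad event from the slide: some construction entry (w, z) lines up with a
    primitive entry under the hidden key SK, either at the whitened input
    w ^ SK1 or at the whitened output z ^ SK2."""
    inputs = {x for (key, x, _) in t_p if key == sk}
    outputs = {y for (key, _, y) in t_p if key == sk}
    return any((w ^ sk1) in inputs or (z ^ sk2) in outputs for (w, z) in t_c)


def estimate_win_probability(k, n, q_c, samples, seed=1):
    """Monte Carlo estimate of Pr[D wins] over the keys SK, SK1, SK2, which in
    the ideal world are independent of the transcripts. Returns the estimate
    together with the Lemma 2 bound 2 Q_C Q_P / 2^(n+k)."""
    rng = random.Random(seed)
    t_c, t_p = transcripts(k, n, q_c, rng)
    q_p = len(t_p)
    wins = 0
    for _ in range(samples):
        sk, sk1, sk2 = (rng.randrange(1 << k), rng.randrange(1 << n),
                        rng.randrange(1 << n))
        wins += d_wins(t_c, t_p, sk, sk1, sk2)
    return wins / samples, 2 * q_c * q_p / 2 ** (n + k)


if __name__ == "__main__":
    # toy sizes: k = 4, n = 8, Q_C = 8, Q_P = 16; the bound is 256 / 4096
    est, bound = estimate_win_probability(k=4, n=8, q_c=8, samples=20000)
    print(f"Pr[D wins] ~ {est:.4f}  vs  Lemma 2 bound {bound:.4f}")
```

For this query pattern the exact probability is 1 - (1 - Q_C/2^n)^2, so the estimate should land just below the bound, showing that the union bound is nearly tight for a distinguisher that spends one primitive query on every key.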